Skip to content
HomeBlogThreat Watch

MFA Fatigue Attacks: When Hackers Spam Your Phone Until You Tap Approve

Smartphone silhouette flooded by a cascade of glowing red notification orbs with one blue orb apart

An MFA fatigue attack — also called push bombing — is brutally simple: a criminal who already has your password triggers sign-in prompt after sign-in prompt, flooding your phone with approval requests until you tap yes just to make it stop. It defeated the defenses of several household-name companies last year, and it works exactly the same against a 20-person firm.

How a push-bombing attack unfolds

  1. The attacker obtains a password. Usually from a phishing page or from the billions of credentials circulating out of old breaches.
  2. They script sign-in attempts. Each one fires a push notification to the victim’s authenticator app. Ten prompts. Thirty. Sometimes at 2 a.m., sometimes spaced through a workday.
  3. They add a story. In the highest-profile case last fall, the attacker messaged the employee claiming to be from IT, promising the prompts would stop once accepted.
  4. Someone taps Approve. Annoyance, sleepiness or the fake IT story does the work. The attacker is now inside with valid credentials — and most alarms stay quiet.

Why MFA fatigue works so well

Push approval was designed for convenience: see prompt, tap yes. After a thousand legitimate taps, the gesture becomes muscle memory with no thought attached — the attack simply weaponizes your own reflex. The prompt also carries almost no context; a generic approval request looks identical whether it’s you in the next room or a criminal on another continent.

Timing does the rest. Attackers fire prompts when judgment is weakest — overnight, mid-commute, mid-meeting — and a single approval is all they need. Across a hundred targeted employees, someone is always tired enough.

And because the sign-in uses a real password plus a real MFA approval, it registers as a normal login. Unless someone is watching for the burst of denied prompts that precedes the breakthrough, the first visible symptom may be a fraudulent wire request sent from a legitimate mailbox.

How to shut push bombing down

None of these fixes require new products — they’re settings and habits layered onto the MFA you already own:

  • Turn on number matching. Instead of tapping Approve, the user types a two-digit code shown on the sign-in screen — impossible to do by accident. Microsoft has been rolling this out as the default behavior for Authenticator, and it’s the single best quick fix.
  • Add context to prompts. Showing the application name and sign-in location turns a blind tap into an informed decision.
  • Limit and lock. Cap denied or failed MFA attempts so a barrage locks the account and raises an alert instead of wearing the user down.
  • Use conditional access. Block sign-ins from countries you don’t operate in and flag impossible-travel logins.
  • Move VIPs to phishing-resistant MFA. Hardware security keys remove the approval decision entirely for admins, executives and finance staff.
  • Train the response. One rule for staff: a prompt you didn’t cause means your password is stolen. Deny it and call IT immediately — the prompts are the alarm bell.

If it’s happening to you right now

Don’t approve anything — not even once, not even to silence the phone, because silencing you is exactly what the attacker is counting on. Change the affected password from a device you trust, tell whoever handles your IT so they can revoke active sessions, and treat any follow-up call or text claiming to be from support as part of the attack. Preserve the sign-in logs, too; the source addresses and timing tell responders how determined the attacker is. At NetSys, a burst of denied MFA prompts on a client account pages a real engineer within minutes, at any hour — that’s the response speed this threat demands.

Key takeaways

  • MFA fatigue starts with a stolen password and wins through sheer annoyance.
  • A prompt you didn’t trigger is proof your password is compromised — deny it and report it.
  • Number matching kills the blind Approve tap and is rolling out in major authenticator apps now.
  • Rate limits, sign-in context and conditional access turn the attack into an alarm.
  • Give admins and executives hardware keys — those accounts are worth the upgrade.

Not sure your MFA setup would survive a determined push-bombing run? Our cybersecurity services team can harden it in a single afternoon.

Reading is free. So is knowing where you stand.

Turn insight into action.

Take a free cybersecurity or AI readiness assessment, or book a call with a NetSys engineer — no obligation, no runaround.